This article was not written by me; it is reposted from someone else and the original URL has been lost.




/ip firewall mangle
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-mark=general packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="refine non-p2p only" disabled=no
add chain=forward packet-mark=general packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="refine non-p2p only" disabled=no

Note: the two packet-size rules carry packet-mark=general so that they only refine the non-P2P traffic. Without that condition they run after the p2p rule (every rule here has passthrough=yes) and silently re-mark every 32-1200-byte P2P packet as small or big, so most P2P traffic would escape the P2P queue.

/queue tree
add name="p2p1" parent=TEL packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="p2p2" parent=LAN packet-mark=p2p limit-at=2000000 queue=default priority=8 max-limit=6000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassA" parent=LAN packet-mark="" limit-at=0 queue=default priority=8 max-limit=100000000 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ClassB" parent=ClassA packet-mark="" limit-at=0 queue=default priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf1" parent=ClassA packet-mark=general limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf2" parent=ClassB packet-mark=small limit-at=0 queue=default priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="Leaf3" parent=ClassB packet-mark=big limit-at=0 queue=default priority=6 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Priority runs from 1 to 8; the lower the number, the higher the priority.

LAN: inside (LAN) interface

TEL: outside (WAN) interface

small: small packets, 32-512 bytes, priority 5

big: large packets, 512-1200 bytes, priority 6

general: everything else (in practice the 1200-1500-byte packets), priority 7

P2P: priority 8, rate-limited globally: max-limit=6000000, i.e. 6 Mbit/s or roughly 750 KB/s, for download (p2p2 on LAN) and upload (p2p1 on TEL), with limit-at=2000000 guaranteed

Leaf: child class
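The following is an added example of mine, not code from the original post or from MikroTik: a small parser for the RouterOS "add key=value ..." lines above plus a replay of the mangle chain for one synthetic packet, to show why the packet-size rules need the packet-mark=general condition. The rule text, the packet model and the MANGLE_FIXED variant are constructed for the example, and only the matchers that appear on this page are modelled.

```python
# Added example, not code from the original post: parse the /ip firewall
# mangle lines above and replay them for one packet, to show why the two
# packet-size rules need a packet-mark=general condition.
import shlex

# Constructed input: the size rules exactly as posted (no packet-mark
# condition) and the same rules with the condition added.
MANGLE_AS_POSTED = """
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment="" disabled=no
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=general passthrough=yes comment="" disabled=no
add chain=forward packet-size=32-512 action=mark-packet new-packet-mark=small passthrough=yes comment="" disabled=no
add chain=forward packet-size=512-1200 action=mark-packet new-packet-mark=big passthrough=yes comment="" disabled=no
"""
MANGLE_FIXED = MANGLE_AS_POSTED.replace("packet-size=", "packet-mark=general packet-size=")

SKIP = {"chain", "action", "passthrough", "comment", "disabled"}


def parse_rules(text):
    """One dict per 'add k=v ...' line; shlex copes with the quoted values
    RouterOS exports (comment="", name="p2p2")."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def matches(rule, pkt):
    """Evaluate the matchers used on this page against a synthetic packet.
    Anything else raises rather than silently matching."""
    for key, value in rule.items():
        if key in SKIP or key.startswith("new-"):
            continue
        if key == "p2p":
            if not pkt["is_p2p"]:
                return False
        elif key == "packet-size":
            lo, hi = (int(x) for x in value.split("-"))
            if not lo <= pkt["size"] <= hi:  # RouterOS ranges are inclusive
                return False
        elif key in ("connection-mark", "packet-mark"):
            negate, want = value.startswith("!"), value.lstrip("!")
            have = pkt[key.replace("-", "_")]
            if (have == want) == negate:
                return False
        else:
            raise ValueError("matcher not modelled: " + key)
    return True


def run_mangle(rules, is_p2p, size):
    """Walk the chain top to bottom the way the firewall does: a matching rule
    applies its action and, with passthrough=yes (the default for mark
    actions), the packet continues to the next rule.
    Returns the final (connection-mark, packet-mark)."""
    pkt = {"is_p2p": is_p2p, "size": size, "connection_mark": "", "packet_mark": ""}
    for rule in rules:
        if rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        if rule["action"] == "mark-connection":
            pkt["connection_mark"] = rule["new-connection-mark"]
        elif rule["action"] == "mark-packet":
            pkt["packet_mark"] = rule["new-packet-mark"]
        if rule.get("passthrough", "yes") == "no":
            break
    return pkt["connection_mark"], pkt["packet_mark"]


if __name__ == "__main__":
    for label, text in (("as posted", MANGLE_AS_POSTED), ("fixed", MANGLE_FIXED)):
        rules = parse_rules(text)
        for is_p2p, size in ((True, 400), (True, 1400), (False, 400), (False, 1400)):
            print(label, "p2p" if is_p2p else "other", size, run_mangle(rules, is_p2p, size))
```

With the rules as posted, a 400-byte P2P packet leaves the chain marked small, so it is queued under Leaf2 at priority 5 instead of in the 6 Mbit/s P2P queue; with packet-mark=general on the size rules the p2p mark survives. The replay also shows the shared boundary: a 512-byte packet matches the 32-512 rule first and stays small.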

HTB, the Hierarchical Token Bucket

HTB (Hierarchical Token Bucket) is a classful queuing discipline that is useful for applying different handling to different kinds of traffic. Generally we can set only one queue for an interface, but in RouterOS queues are attached to the main Hierarchical Token Bucket (HTB) and thus inherit some properties from that parent queue. For example, we can set a maximum data rate for a workgroup and then distribute that amount of traffic among the members of that workgroup.

In other words, HTB is the classic model for classifying and controlling traffic. Usually traffic control applies to one interface as a whole, but ROS uses the HTB model, so one can, for example, first cap a workgroup's total rate and then subdivide that rate inside the group. Traffic control is fairly complicated, in Shenxian's opinion.

Each class in the hierarchy can prioritize and shape traffic. There are 2 main parameters in RouterOS:

* limit-at - data rate that is guaranteed to a class (CIR)

* max-limit - maximal data rate that a class is allowed to reach (MIR)

* CIR (Committed Information Rate) - the guaranteed data rate. Traffic at a rate not exceeding this value should always be delivered

* MIR (Maximal Information Rate) - the maximal data rate the router will provide

In short: limit-at is the floor (guaranteed) rate, max-limit the ceiling.

 

Each HTB class can be in one of 3 states, depending on the data rate that it consumes (Winbox shows them as green, yellow and red icons in the queue list):

* green - a class whose actual rate is equal to or less than limit-at. In this state the class is attached to the self slot of the corresponding priority at its level, and is allowed to satisfy its limit-at regardless of what limitations its parents have. For example, if we have a leaf class with limit-at=512000 and its parent has max-limit=limit-at=128000, the class will get its 512kbps!

* yellow - a class whose actual rate is greater than limit-at and equal to or less than max-limit. In this state the class is attached to the inner slot of the corresponding priority of its parent's inner feed, which in turn may be attached either to its parent's inner slot of the same priority (if the parent is also yellow) or to the self slot of the same priority at the parent's level (if the parent is green). Upon the transition to this state the class 'disconnects' from the self feed of its level and 'connects' to its parent's inner feed. That is, a yellow class is controlled by its parent, and if the parent is yellow too, by the grandparent, and so on up the tree.

* red - a class whose actual rate exceeds max-limit. This class cannot borrow rate from its parent class.
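As an added example (mine, not from the original post or the RouterOS manual), here is a small Python model of how an HTB tree hands out bandwidth, written to make the three states, the limit-at / max-limit / priority parameters and the "limit-at beats the parent" quirk above concrete on the page's own queue tree. The tree is the download side (parent=LAN) of the queue tree above; the 8 Mbit/s link capacity behind the LAN interface, the offered loads, and the simplifications stated in the comments are my assumptions.

```python
# Added example, not from the original post: a simplified model of how an HTB
# queue tree hands out bandwidth, so the green/yellow/red states and the
# limit-at / max-limit / priority parameters can be tried on the tree above.
INF = float("inf")


class HtbClass:
    def __init__(self, name, parent, limit_at=0, max_limit=0, priority=8):
        self.name, self.parent, self.children = name, parent, []
        self.limit_at = limit_at            # CIR; 0 = nothing guaranteed
        self.max_limit = max_limit or INF   # MIR; 0 = unlimited
        self.priority = priority            # 1 = highest ... 8 = lowest


def build_tree(interface, capacity, specs):
    """specs are (name, parent, limit-at, max-limit, priority) tuples, i.e. the
    fields of the page's /queue tree entries. The interface itself becomes the
    root, with the assumed link capacity as its max-limit."""
    classes = {interface: HtbClass(interface, None, 0, capacity)}
    for spec in specs:
        classes[spec[0]] = HtbClass(*spec)
    for c in classes.values():
        if c.parent is not None:
            classes[c.parent].children.append(c)
    return classes[interface]


def state(offered, limit_at, max_limit):
    """The three states from the text, judged on the rate offered to a class."""
    if offered <= limit_at:
        return "green"
    if offered <= (max_limit or INF):
        return "yellow"
    return "red"


def demand(c, wants):
    """What a class would consume if no ancestor limited it: its own offered
    load for a leaf, the sum of its children otherwise, capped by max-limit."""
    if not c.children:
        return min(wants.get(c.name, 0), c.max_limit)
    return min(sum(demand(k, wants) for k in c.children), c.max_limit)


def borrow_priority(c, wants):
    """An inner class has no priority of its own: it borrows at the best
    priority of the leaves under it that still want data."""
    if not c.children:
        return c.priority
    hungry = [borrow_priority(k, wants) for k in c.children if demand(k, wants) > 0]
    return min(hungry) if hungry else 8


def allocate(c, capacity, wants, result=None):
    """Recursive allocation; returns {leaf name: rate}.
    Simplifications vs. real HTB: strict priority order among borrowers (HTB
    also round-robins between equal priorities), and one static snapshot
    rather than a packet-by-packet token bucket."""
    result = {} if result is None else result
    if not c.children:
        result[c.name] = capacity
        return result
    want = {k.name: demand(k, wants) for k in c.children}
    # green: a child's limit-at is honoured even when it exceeds what the
    # parent was given, the "512k leaf under a 128k parent" case in the text
    share = {k.name: min(want[k.name], k.limit_at) for k in c.children}
    spare = max(capacity - sum(share.values()), 0)
    # yellow: whatever the parent has left is lent out by priority
    for k in sorted(c.children, key=lambda k: borrow_priority(k, wants)):
        extra = min(want[k.name] - share[k.name], spare)
        share[k.name] += extra
        spare -= extra
    for k in c.children:
        allocate(k, share[k.name], wants, result)
    return result


# Download side of the page's queue tree (parent=LAN); the 8 Mbit/s of real
# WAN capacity behind the LAN interface is an assumption for the example.
PAGE_TREE = [
    ("p2p2", "LAN", 2_000_000, 6_000_000, 8),
    ("ClassA", "LAN", 0, 100_000_000, 8),
    ("ClassB", "ClassA", 0, 0, 8),
    ("Leaf1", "ClassA", 0, 0, 7),   # general
    ("Leaf2", "ClassB", 0, 0, 5),   # small
    ("Leaf3", "ClassB", 0, 0, 6),   # big
]


def page_example(wants, capacity=8_000_000):
    return allocate(build_tree("LAN", capacity, PAGE_TREE), capacity, wants)


if __name__ == "__main__":
    busy = {"p2p2": 10_000_000, "Leaf1": 6_000_000, "Leaf2": 1_000_000, "Leaf3": 3_000_000}
    print(page_example(busy))
```

With everything busy, P2P is held to exactly its 2 Mbit/s limit-at (green) because all spare capacity is borrowed at priorities 5, 6 and 7 by the small, big and general leaves; when the other classes are quiet P2P borrows up to its 6 Mbit/s max-limit (yellow). The quirk case reproduces the text: a child with limit-at=512000 under a parent capped at 128000 still gets 512 kbit/s, which is why limit-at values should add up to no more than the parent's max-limit.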

Bursts

Bursts are used to allow higher data rates for a short period of time. Every second, the router calculates the average data rate of each class over the last burst-time seconds. If this average data rate is less than burst-threshold, burst is enabled and the actual data rate may reach burst-limit bps; otherwise the actual data rate falls back to max-limit or limit-at.

Let us consider a setup where max-limit=256000, burst-time=8, burst-threshold=192000 and burst-limit=512000. When a user starts to download a file via HTTP we can observe the following. At the beginning the average data rate over the last 8 seconds is 0bps, because before the queue rule was applied no traffic had passed through it. Since this average is less than burst-threshold (192kbps), burst is allowed. After the first second, the average data rate is (0+0+0+0+0+0+0+512)/8 = 64kbps, which is under burst-threshold. After the second second, the average data rate is (0+0+0+0+0+0+512+512)/8 = 128kbps. After the third second comes the breakpoint: the average is (0+0+0+0+0+512+512+512)/8 = 192kbps, which is no longer below burst-threshold. At this moment burst is disabled and the current data rate falls to max-limit (256kbps).

Two settings that each allow at most 3 seconds of burst from idle (burst-time x burst-threshold / burst-limit = 8x192/512 = 16x384/2048 = 3):

limit-at   burst-threshold   max-limit   burst-limit   burst-time
128k       192k              256k        512k          8s
128k       384k              512k        2048k         16s
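Added example (mine, not from the original post): a replay of the per-second burst rule described above, so a burst-limit / burst-threshold / burst-time combination can be checked before it goes on a router, plus the closed form that the simulation confirms. Rates are in kbit/s; the idle-then-busy load pattern used in the check is constructed.

```python
# Added example, not from the original post: replay the per-second burst rule
# described above so a burst-limit / burst-threshold / burst-time combination
# can be checked before it goes on a router.
import math
from collections import deque


def burst_trace(max_limit, burst_limit, burst_threshold, burst_time, offered):
    """Allowed rate for each second, following the text: each second the
    average of the last burst_time seconds is compared with burst_threshold;
    while it is below, the class may run at burst_limit, otherwise it is held
    to max_limit. `offered` lists the load the client presents per second;
    what it actually gets is min(offered, allowed), and that is what feeds
    the average. All rates in kbit/s."""
    window = deque([0] * burst_time, maxlen=burst_time)   # idle history
    allowed = []
    for load in offered:
        average = sum(window) / burst_time
        cap = burst_limit if average < burst_threshold else max_limit
        window.append(min(load, cap))
        allowed.append(cap)
    return allowed


def burst_seconds(max_limit, burst_limit, burst_threshold, burst_time):
    """Seconds of burst a class gets when it starts from idle and offers more
    than burst_limit, found by simulation."""
    trace = burst_trace(max_limit, burst_limit, burst_threshold, burst_time,
                        [burst_limit] * (2 * burst_time))
    n = 0
    while n < len(trace) and trace[n] == burst_limit:
        n += 1
    return n


def burst_seconds_closed_form(burst_limit, burst_threshold, burst_time):
    """The same number without simulating: after n full seconds at
    burst_limit the average is n*burst_limit/burst_time, which stays below
    the threshold while n < burst_time*burst_threshold/burst_limit.
    Valid for burst_threshold < burst_limit."""
    return math.ceil(burst_time * burst_threshold / burst_limit)


if __name__ == "__main__":
    # the page's example: 3 seconds at 512k, then held to 256k
    print(burst_trace(256, 512, 192, 8, [1000] * 6))
    print(burst_seconds(256, 512, 192, 8), burst_seconds_closed_form(512, 192, 8))
```

The trace also answers the question the text leaves open: once burst has been disabled it comes back only after the client has been idle long enough for the average over burst-time seconds to drop below burst-threshold again, which with burst-time=8 and the rest of the page's settings means roughly six seconds of quiet.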

MSS and MTU (2008-03-03 23:53)

A few words first.

What should the MTU and MSS be set to?

MTU: Maximum Transmission Unit

MSS: Maximum Segment Size

PPPoE: PPP over Ethernet (PPP carried on top of Ethernet)

 

[Analysis]

Start with the MTU, the maximum transmission unit. It is closely tied to the link-layer protocol. Recall the structure of an Ethernet II frame: DMAC + SMAC + Type + Data + CRC. Because of the electrical constraints of Ethernet transmission, every Ethernet frame has a minimum size of 64 bytes and a maximum of 1518 bytes (a VLAN tag adds 4 more); frames smaller or larger than that are treated as errors, and ordinary Ethernet forwarding devices drop them. (Frames under 64 bytes are usually collision fragments, line noise or the product of a bad interface; frames over 1518 bytes are called giants and usually come from line noise or a bad port.)

Since the largest Ethernet II frame is 1518 bytes, subtracting the 14-byte header (DMAC 48 bits = 6 bytes, SMAC 6 bytes, Type 2 bytes) and the 4-byte CRC trailer (also called the FCS) leaves at most 1500 bytes for the Data field that carries the upper-layer protocol. That value is the MTU. The network layer cares about it a great deal, because IP uses it to decide whether the data handed down from above must be fragmented, just as a loaf that does not fit in one box has to be sliced and packed into several. When two distant hosts talk, their packets cross many routers and many kinds of media, each with its own MTU; like a pipeline built from sections of different diameter, the most a path can carry is set by its narrowest section (the path MTU).

The protocols above the network layer (take the TCP/IP family) do not care about the pipe diameter; they consider it the network layer's business. IP checks the size of every packet coming from above and fragments it if it exceeds the local MTU. The big drawback of fragmentation is lost performance: what could be done in one packet takes several, so the layer above IP (the transport layer) usually pays attention to it. Some upper layers insist that the loaf must not be sliced and set a flag in the IP header: DF (Don't Fragment). When such a packet meets a hop whose MTU is smaller than the packet, the forwarding device drops it as instructed and returns an error message (an ICMP "fragmentation needed" message) to the sender. That often causes connectivity problems; fortunately most links have an MTU of 1500 or more.

UDP is connectionless and does not itself care about ordering or delivery, so UDP applications generally impose no fragmentation requirement (an oversized datagram is simply fragmented at the IP layer).

TCP is different: it is connection-oriented and cares very much about ordering and transmission errors, so TCP traffic is normally sent with DF set and must not be fragmented.

Now for the second protagonist of the day: PPPoE, PPP running over Ethernet. Some will wonder: PPP and Ethernet are both link-layer protocols, so how can one run on top of the other, unless PPP has been promoted to the network layer? The misconception is that a layer can only carry the layer directly above it. Why did such a strange need arise? Because broadband access (cable modem, xDSL or plain Ethernet) arrived while Ethernet had no authentication or accounting mechanism, and carriers had always authenticated and billed dial-up access with PPP. Hence this oddity, PPPoE. (For details on PPPoE see the articles by V and other members of this site; I will not repeat them.)

PPPoE brings benefits but also costs: the extra encapsulation consumes resources and reduces throughput, and so on. The worst cost is that it shrinks the MTU: Ethernet's 1500 bytes minus the 8 bytes of PPPoE and PPP header overhead leaves 1492. If any segment of the path between two hosts runs PPPoE, applications whose packets must not be fragmented stop working. The remedy is to lower the host's MTU so that its packets fit.

For TCP there is another way out. Enter the third protagonist: MSS, the maximum segment size, a TCP concept: the largest amount of payload one TCP segment may carry. To get the best throughput, the two ends advertise their MSS when the connection is established; implementations usually derive it from the MTU minus the 20-byte IP header and the 20-byte TCP header, hence the familiar 1460. The smaller of the two advertised values becomes the MSS for the connection.

With the three introduced, back to the question from the preamble. If a router in the middle rewrites the MSS of every TCP connection so that MSS plus IP and TCP headers never exceeds the 1492-byte MTU of the PPPoE link, nothing fails, so the problem can be solved with ip tcp adjust-mss 1452 (1492 - 40; that is the Cisco IOS form of the command), or alternatively by lowering the MTU on the PCs.

What happens if the MSS is not changed? Some sites may fail to open (Taobao, online banking) or pages may load slowly; all of that can be MSS-related.

How to change it (RouterOS 2.9.27):

IP >> Firewall >> Mangle >> click + >>

General tab

Chain: forward

Protocol: tcp

Advanced tab

TCP Flags: SYN

Action tab

Action: change MSS

New TCP MSS: the value worked out below (1460 for a plain 1500-byte path, 1452 for a 1492-byte PPPoE link)

The rule only needs to match SYN segments because the MSS option is carried only in SYN. In the forward chain it rewrites the SYN of both directions, which is what you want; if some links have a larger MTU, restrict it to the PPPoE interface with the in-interface / out-interface matchers. Later RouterOS versions also accept new-mss=clamp-to-pmtu, which derives the value from the outgoing interface's MTU automatically.

How to choose the MSS value:

Run ping <target> -f -l 1500 (Windows ping: -f sets the DF bit, -l sets the ICMP payload size; on Linux the equivalent is ping -M do -s <size>) and see whether it gets through. If it does not, reduce the size in steps of 4 until it does. The target can be a site you want to reach but cannot, or any other site; it does not matter much.

For example, pinging Baidu:

ping www.baidu.com -f -l 1500

gives:

Code:

C:\>ping www.baidu.com -f -l 1500

Pinging www.a.shifen.com [202.108.22.5] with 1500 bytes of data:

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Packet needs to be fragmented but DF set.

Ping statistics for 202.108.22.5:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

So a 1500-byte payload does not fit without fragmentation; go down 4 at a time until it works, 1500 - 4 = ???, work it out yourself. For me the first size that got through was 1472:

Code:

C:\>ping www.baidu.com -f -l 1472

Pinging www.a.shifen.com [202.108.22.5] with 1472 bytes of data:

Reply from 202.108.22.5: bytes=1472 time=29ms TTL=53

Reply from 202.108.22.5: bytes=1472 time=29ms TTL=53

Reply from 202.108.22.5: bytes=1472 time=29ms TTL=53

Reply from 202.108.22.5: bytes=1472 time=29ms TTL=53

Ping statistics for 202.108.22.5:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 29ms, Maximum = 29ms, Average = 29ms

That one got through. Mind what the number means, though: -l 1472 is the ICMP payload, and with the 20-byte IP header and 8-byte ICMP header added the largest packet that passed is 1500 bytes, which is the path MTU. The MSS is that MTU minus the 40 bytes of IP and TCP headers: 1472 -> MTU 1500 -> MSS 1460. On a PPPoE link the largest payload that passes is 1464, giving MTU 1492 and MSS 1452, the value used with adjust-mss above. Copying the ping payload straight into the MSS field gives a value 12 bytes too large, which still produces oversized segments. Network conditions differ from place to place, so the MSS will differ too: test it yourself and experiment.
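Added example (mine, not from the original post): the MTU/MSS arithmetic above in Python, with the ping probe replaced by a constructed stand-in (fake_path) so it runs offline. The search is a binary search rather than the page's "subtract 4 and try again", so it finds the exact value for any path MTU; in a real run, fake_path would be replaced by a function that runs ping with DF set and reports whether it got a reply.

```python
# Added example, not from the original post: the arithmetic behind the
# "ping -f -l" test above, with the probe replaced by a constructed stand-in
# so it runs offline.
IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # echo request header, so ping -l N sends an N+28 byte packet
TCP_HEADER = 20     # TCP header without options
PPPOE_OVERHEAD = 8  # 6 bytes PPPoE header + 2 bytes PPP protocol field
ETHERNET_MTU = 1500


def mtu_from_ping_payload(payload):
    """Largest ICMP payload that passed with DF set -> path MTU."""
    return payload + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu):
    """MSS a TCP endpoint (or a change-mss rule) should use for that MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def fake_path(path_mtu):
    """Constructed stand-in for `ping -f -l <payload>`: True when the echo
    request fits the path MTU, False for 'Packet needs to be fragmented'."""
    def probe(payload):
        return mtu_from_ping_payload(payload) <= path_mtu
    return probe


def largest_unfragmented_payload(probe, low=0, high=ETHERNET_MTU):
    """Binary search for the largest payload the probe accepts. `probe` is
    assumed monotonic (if N fits, every smaller size fits), which holds for a
    DF ping against a fixed path."""
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def recommend_mss(probe):
    """Returns (path MTU, MSS to clamp to) from a working probe function."""
    mtu = mtu_from_ping_payload(largest_unfragmented_payload(probe))
    return mtu, mss_for_mtu(mtu)


if __name__ == "__main__":
    for mtu in (ETHERNET_MTU, ETHERNET_MTU - PPPOE_OVERHEAD):
        payload = largest_unfragmented_payload(fake_path(mtu))
        print("path MTU", mtu, "-> largest ping payload", payload,
              "-> MSS", recommend_mss(fake_path(mtu))[1])
```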

 

HTB terms:

queuing discipline (qdisc) - an algorithm that holds and maintains a queue of packets. It specifies the order of the outgoing packets (which means a queuing discipline can reorder packets). The qdisc also decides which packets to drop when there is no room for them
filter - a procedure that classifies packets. The filter is responsible for classifying packets so that they are put into the corresponding qdiscs
level - position of a class in the hierarchy
inner class - a class that has one or more child classes attached to it. Inner classes do not store any packets, but they do traffic shaping. An inner class also has no priority of its own
leaf class - a class that has a parent but no child classes. Leaf classes are always located at level 0 of the hierarchy. Each leaf class has a qdisc attached to it
self feed - an object that represents the exit for the packets from all the classes active at its level of the hierarchy. It consists of 8 self slots, one per priority
self slot - an element of a self feed that corresponds to one particular priority. All classes active at the same level with the same priority are attached to one self slot, which they use to send packets out
active class (at a particular level) - a class that is attached to a self slot at the given level
inner feed - an object similar to the self feed, consisting of inner slots; every inner class has one
inner feed slot - similar to a self slot. Each inner feed consists of inner slots, one per priority

Each class has a parent and may have one or more children. Classes that do not have children are put at level 0, where the queues are maintained, and are called 'leaf classes'.



Each class in the hierarchy can prioritize and shape traffic. There are 2 main parameters in RouterOS that refer to shaping and one to prioritizing:

limit-at - data rate that is guaranteed to a class (CIR)
max-limit - maximal data rate that a class is allowed to reach (MIR)
priority - order in which classes are served at the same level (8 is the lowest priority, 1 is the highest)


